ARM64 + Docker results in "TUNSETIFF tun: Function not implemented"

[mlb5000]

I'm hitting a strange error when attempting to connect to OpenVPN inside a Docker container running on Apple Silicon. I do NOT have problems with this exact image/configuration elsewhere. The only difference is that this was cross-built using docker buildx.

Basic Docker configuration (you'll need to add your own command)

FROM keymetrics/pm2:16-alpine

RUN apk update
RUN apk add openvpn nano curl

Then, if I attempt to connect inside that container, it runs into problems. The host has no issues connecting to the same server with the same config file/credentials.

2021-08-02T20:19:53.236Z - stdout: 2021-08-02 20:19:53 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-08-02T20:19:53.239Z - stdout: 2021-08-02 20:19:53 WARNING: file '//app/current.txt' is group or others accessible
2021-08-02T20:19:53.240Z - stdout: 2021-08-02 20:19:53 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-08-02T20:19:53.241Z - stdout: 2021-08-02 20:19:53 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-08-02T20:19:53.245Z - stdout: 2021-08-02 20:19:53 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-08-02 20:19:53 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-08-02 20:19:53 NOTE: --fast-io is disabled since we are not using UDP
2021-08-02T20:19:53.258Z - stdout: 2021-08-02 20:19:53 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-08-02 20:19:53 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-08-02T20:19:53.292Z - stdout: 2021-08-02 20:19:53 TCP/UDP: Preserving recently used remote address: [AF_INET]92.119.177.21:1443
2021-08-02T20:19:53.293Z - stdout: 2021-08-02 20:19:53 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-08-02 20:19:53 Attempting to establish TCP connection with [AF_INET]92.119.177.21:1443 [nonblock]
2021-08-02T20:19:53.315Z - stdout: 2021-08-02 20:19:53 TCP connection established with [AF_INET]92.119.177.21:1443
2021-08-02T20:19:53.315Z - stdout: 2021-08-02 20:19:53 TCP_CLIENT link local: (not bound)
2021-08-02 20:19:53 TCP_CLIENT link remote: [AF_INET]92.119.177.21:1443
2021-08-02T20:19:53.340Z - stdout: 2021-08-02 20:19:53 TLS: Initial packet from [AF_INET]92.119.177.21:1443, sid=8f7ff4e0 445650e0
2021-08-02T20:19:53.414Z - stdout: 2021-08-02 20:19:53 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
2021-08-02T20:19:53.419Z - stdout: 2021-08-02 20:19:53 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
2021-08-02T20:19:53.420Z - stdout: 2021-08-02 20:19:53 VERIFY KU OK
2021-08-02T20:19:53.420Z - stdout: 2021-08-02 20:19:53 Validating certificate extended key usage
2021-08-02 20:19:53 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-08-02 20:19:53 VERIFY EKU OK
2021-08-02 20:19:53 VERIFY OK: depth=0, CN=us-nyc-st002.prod.surfshark.com
2021-08-02T20:19:53.479Z - stdout: 2021-08-02 20:19:53 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1583'
2021-08-02T20:19:53.480Z - stdout: 2021-08-02 20:19:53 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
2021-08-02T20:19:53.480Z - stdout: 2021-08-02 20:19:53 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-08-02T20:19:53.481Z - stdout: 2021-08-02 20:19:53 [us-nyc-st002.prod.surfshark.com] Peer Connection Initiated with [AF_INET]92.119.177.21:1443
2021-08-02T20:19:54.588Z - stdout: 2021-08-02 20:19:54 SENT CONTROL [us-nyc-st002.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
2021-08-02T20:19:54.845Z - stdout: 2021-08-02 20:19:54 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.7.7.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.7.7 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2021-08-02T20:19:54.847Z - stdout: 2021-08-02 20:19:54 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.2)
2021-08-02T20:19:54.849Z - stdout: 2021-08-02 20:19:54 OPTIONS IMPORT: timers and/or timeouts modified
2021-08-02 20:19:54 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2021-08-02T20:19:54.849Z - stdout: 2021-08-02 20:19:54 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021-08-02 20:19:54 Socket Buffers: R=[131072->425984] S=[87040->425984]
2021-08-02 20:19:54 OPTIONS IMPORT: --ifconfig/up options modified
2021-08-02 20:19:54 OPTIONS IMPORT: route options modified
2021-08-02 20:19:54 OPTIONS IMPORT: route-related options modified
2021-08-02 20:19:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-08-02 20:19:54 OPTIONS IMPORT: peer-id set
2021-08-02 20:19:54 OPTIONS IMPORT: adjusting link_mtu to 1658
2021-08-02 20:19:54 OPTIONS IMPORT: data channel crypto options modified
2021-08-02 20:19:54 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-08-02T20:19:54.851Z - stdout: 2021-08-02 20:19:54 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-08-02T20:19:54.852Z - stdout: 2021-08-02 20:19:54 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-08-02T20:19:54.853Z - stdout: 2021-08-02 20:19:54 ROUTE_GATEWAY 10.1.0.1
2021-08-02T20:19:54.854Z - stdout: 2021-08-02 20:19:54 ERROR: Cannot ioctl TUNSETIFF tun: Function not implemented (errno=38)
2021-08-02 20:19:54 Exiting due to fatal error

I get this specific failure no matter what base OS the Docker image uses (both Ubuntu and Alpine). The only important factor seems to be that the docker image trying to use the openVPN client is running on an aarch64 host (and that the arm64 image is then pulled from the manifest).

[Gert Döring]

OpenVPN on ARM64 generally works fine (confirmed with Tunnelblick on an MBA M1).

This seems to be something with the Docker stuff, which refuses one of the ioctl() calls we need to set up the tun interface properly.

Why that would happen, I do not know.

Is this "MacOS on M1, with Docker and Linux inside" or "Linux on M1, with Docker and Linux inside"? Not sure Docker can translate this sort of kernel calls...

[Gert Döring]

We can't help anyone if people are not talking to us.

Closing this as WONTFIX, as this is outside OpenVPN control anyway.

Things do work when running OpenVPN on a Linux/Docker? (or Kubernetes) Container, provided /dev/net/tun exists - so, no idea what Apple Containers need here.